SemaAccess.cpp revision 637619b915888ead5576d19508644e4eb9024078
1//===---- SemaAccess.cpp - C++ Access Control -------------------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file provides Sema routines for C++ access control semantics. 11// 12//===----------------------------------------------------------------------===// 13 14#include "clang/Sema/SemaInternal.h" 15#include "clang/AST/ASTContext.h" 16#include "clang/AST/CXXInheritance.h" 17#include "clang/AST/DeclCXX.h" 18#include "clang/AST/DeclFriend.h" 19#include "clang/AST/DeclObjC.h" 20#include "clang/AST/DependentDiagnostic.h" 21#include "clang/AST/ExprCXX.h" 22#include "clang/Sema/DelayedDiagnostic.h" 23#include "clang/Sema/Initialization.h" 24#include "clang/Sema/Lookup.h" 25 26using namespace clang; 27using namespace sema; 28 29/// A copy of Sema's enum without AR_delayed. 30enum AccessResult { 31 AR_accessible, 32 AR_inaccessible, 33 AR_dependent 34}; 35 36/// SetMemberAccessSpecifier - Set the access specifier of a member. 37/// Returns true on error (when the previous member decl access specifier 38/// is different from the new member decl access specifier). 39bool Sema::SetMemberAccessSpecifier(NamedDecl *MemberDecl, 40 NamedDecl *PrevMemberDecl, 41 AccessSpecifier LexicalAS) { 42 if (!PrevMemberDecl) { 43 // Use the lexical access specifier. 44 MemberDecl->setAccess(LexicalAS); 45 return false; 46 } 47 48 // C++ [class.access.spec]p3: When a member is redeclared its access 49 // specifier must be same as its initial declaration. 50 if (LexicalAS != AS_none && LexicalAS != PrevMemberDecl->getAccess()) { 51 Diag(MemberDecl->getLocation(), 52 diag::err_class_redeclared_with_different_access) 53 << MemberDecl << LexicalAS; 54 Diag(PrevMemberDecl->getLocation(), diag::note_previous_access_declaration) 55 << PrevMemberDecl << PrevMemberDecl->getAccess(); 56 57 MemberDecl->setAccess(LexicalAS); 58 return true; 59 } 60 61 MemberDecl->setAccess(PrevMemberDecl->getAccess()); 62 return false; 63} 64 65static CXXRecordDecl *FindDeclaringClass(NamedDecl *D) { 66 DeclContext *DC = D->getDeclContext(); 67 68 // This can only happen at top: enum decls only "publish" their 69 // immediate members. 70 if (isa<EnumDecl>(DC)) 71 DC = cast<EnumDecl>(DC)->getDeclContext(); 72 73 CXXRecordDecl *DeclaringClass = cast<CXXRecordDecl>(DC); 74 while (DeclaringClass->isAnonymousStructOrUnion()) 75 DeclaringClass = cast<CXXRecordDecl>(DeclaringClass->getDeclContext()); 76 return DeclaringClass; 77} 78 79namespace { 80struct EffectiveContext { 81 EffectiveContext() : Inner(0), Dependent(false) {} 82 83 explicit EffectiveContext(DeclContext *DC) 84 : Inner(DC), 85 Dependent(DC->isDependentContext()) { 86 87 // C++ [class.access.nest]p1: 88 // A nested class is a member and as such has the same access 89 // rights as any other member. 90 // C++ [class.access]p2: 91 // A member of a class can also access all the names to which 92 // the class has access. A local class of a member function 93 // may access the same names that the member function itself 94 // may access. 95 // This almost implies that the privileges of nesting are transitive. 96 // Technically it says nothing about the local classes of non-member 97 // functions (which can gain privileges through friendship), but we 98 // take that as an oversight. 99 while (true) { 100 // We want to add canonical declarations to the EC lists for 101 // simplicity of checking, but we need to walk up through the 102 // actual current DC chain. Otherwise, something like a local 103 // extern or friend which happens to be the canonical 104 // declaration will really mess us up. 105 106 if (isa<CXXRecordDecl>(DC)) { 107 CXXRecordDecl *Record = cast<CXXRecordDecl>(DC); 108 Records.push_back(Record->getCanonicalDecl()); 109 DC = Record->getDeclContext(); 110 } else if (isa<FunctionDecl>(DC)) { 111 FunctionDecl *Function = cast<FunctionDecl>(DC); 112 Functions.push_back(Function->getCanonicalDecl()); 113 if (Function->getFriendObjectKind()) 114 DC = Function->getLexicalDeclContext(); 115 else 116 DC = Function->getDeclContext(); 117 } else if (DC->isFileContext()) { 118 break; 119 } else { 120 DC = DC->getParent(); 121 } 122 } 123 } 124 125 bool isDependent() const { return Dependent; } 126 127 bool includesClass(const CXXRecordDecl *R) const { 128 R = R->getCanonicalDecl(); 129 return std::find(Records.begin(), Records.end(), R) 130 != Records.end(); 131 } 132 133 /// Retrieves the innermost "useful" context. Can be null if we're 134 /// doing access-control without privileges. 135 DeclContext *getInnerContext() const { 136 return Inner; 137 } 138 139 typedef SmallVectorImpl<CXXRecordDecl*>::const_iterator record_iterator; 140 141 DeclContext *Inner; 142 SmallVector<FunctionDecl*, 4> Functions; 143 SmallVector<CXXRecordDecl*, 4> Records; 144 bool Dependent; 145}; 146 147/// Like sema::AccessedEntity, but kindly lets us scribble all over 148/// it. 149struct AccessTarget : public AccessedEntity { 150 AccessTarget(const AccessedEntity &Entity) 151 : AccessedEntity(Entity) { 152 initialize(); 153 } 154 155 AccessTarget(ASTContext &Context, 156 MemberNonce _, 157 CXXRecordDecl *NamingClass, 158 DeclAccessPair FoundDecl, 159 QualType BaseObjectType) 160 : AccessedEntity(Context.getDiagAllocator(), Member, NamingClass, 161 FoundDecl, BaseObjectType) { 162 initialize(); 163 } 164 165 AccessTarget(ASTContext &Context, 166 BaseNonce _, 167 CXXRecordDecl *BaseClass, 168 CXXRecordDecl *DerivedClass, 169 AccessSpecifier Access) 170 : AccessedEntity(Context.getDiagAllocator(), Base, BaseClass, DerivedClass, 171 Access) { 172 initialize(); 173 } 174 175 bool isInstanceMember() const { 176 return (isMemberAccess() && getTargetDecl()->isCXXInstanceMember()); 177 } 178 179 bool hasInstanceContext() const { 180 return HasInstanceContext; 181 } 182 183 class SavedInstanceContext { 184 public: 185 ~SavedInstanceContext() { 186 Target.HasInstanceContext = Has; 187 } 188 189 private: 190 friend struct AccessTarget; 191 explicit SavedInstanceContext(AccessTarget &Target) 192 : Target(Target), Has(Target.HasInstanceContext) {} 193 AccessTarget &Target; 194 bool Has; 195 }; 196 197 SavedInstanceContext saveInstanceContext() { 198 return SavedInstanceContext(*this); 199 } 200 201 void suppressInstanceContext() { 202 HasInstanceContext = false; 203 } 204 205 const CXXRecordDecl *resolveInstanceContext(Sema &S) const { 206 assert(HasInstanceContext); 207 if (CalculatedInstanceContext) 208 return InstanceContext; 209 210 CalculatedInstanceContext = true; 211 DeclContext *IC = S.computeDeclContext(getBaseObjectType()); 212 InstanceContext = (IC ? cast<CXXRecordDecl>(IC)->getCanonicalDecl() : 0); 213 return InstanceContext; 214 } 215 216 const CXXRecordDecl *getDeclaringClass() const { 217 return DeclaringClass; 218 } 219 220private: 221 void initialize() { 222 HasInstanceContext = (isMemberAccess() && 223 !getBaseObjectType().isNull() && 224 getTargetDecl()->isCXXInstanceMember()); 225 CalculatedInstanceContext = false; 226 InstanceContext = 0; 227 228 if (isMemberAccess()) 229 DeclaringClass = FindDeclaringClass(getTargetDecl()); 230 else 231 DeclaringClass = getBaseClass(); 232 DeclaringClass = DeclaringClass->getCanonicalDecl(); 233 } 234 235 bool HasInstanceContext : 1; 236 mutable bool CalculatedInstanceContext : 1; 237 mutable const CXXRecordDecl *InstanceContext; 238 const CXXRecordDecl *DeclaringClass; 239}; 240 241} 242 243/// Checks whether one class might instantiate to the other. 244static bool MightInstantiateTo(const CXXRecordDecl *From, 245 const CXXRecordDecl *To) { 246 // Declaration names are always preserved by instantiation. 247 if (From->getDeclName() != To->getDeclName()) 248 return false; 249 250 const DeclContext *FromDC = From->getDeclContext()->getPrimaryContext(); 251 const DeclContext *ToDC = To->getDeclContext()->getPrimaryContext(); 252 if (FromDC == ToDC) return true; 253 if (FromDC->isFileContext() || ToDC->isFileContext()) return false; 254 255 // Be conservative. 256 return true; 257} 258 259/// Checks whether one class is derived from another, inclusively. 260/// Properly indicates when it couldn't be determined due to 261/// dependence. 262/// 263/// This should probably be donated to AST or at least Sema. 264static AccessResult IsDerivedFromInclusive(const CXXRecordDecl *Derived, 265 const CXXRecordDecl *Target) { 266 assert(Derived->getCanonicalDecl() == Derived); 267 assert(Target->getCanonicalDecl() == Target); 268 269 if (Derived == Target) return AR_accessible; 270 271 bool CheckDependent = Derived->isDependentContext(); 272 if (CheckDependent && MightInstantiateTo(Derived, Target)) 273 return AR_dependent; 274 275 AccessResult OnFailure = AR_inaccessible; 276 SmallVector<const CXXRecordDecl*, 8> Queue; // actually a stack 277 278 while (true) { 279 if (Derived->isDependentContext() && !Derived->hasDefinition()) 280 return AR_dependent; 281 282 for (CXXRecordDecl::base_class_const_iterator 283 I = Derived->bases_begin(), E = Derived->bases_end(); I != E; ++I) { 284 285 const CXXRecordDecl *RD; 286 287 QualType T = I->getType(); 288 if (const RecordType *RT = T->getAs<RecordType>()) { 289 RD = cast<CXXRecordDecl>(RT->getDecl()); 290 } else if (const InjectedClassNameType *IT 291 = T->getAs<InjectedClassNameType>()) { 292 RD = IT->getDecl(); 293 } else { 294 assert(T->isDependentType() && "non-dependent base wasn't a record?"); 295 OnFailure = AR_dependent; 296 continue; 297 } 298 299 RD = RD->getCanonicalDecl(); 300 if (RD == Target) return AR_accessible; 301 if (CheckDependent && MightInstantiateTo(RD, Target)) 302 OnFailure = AR_dependent; 303 304 Queue.push_back(RD); 305 } 306 307 if (Queue.empty()) break; 308 309 Derived = Queue.back(); 310 Queue.pop_back(); 311 } 312 313 return OnFailure; 314} 315 316 317static bool MightInstantiateTo(Sema &S, DeclContext *Context, 318 DeclContext *Friend) { 319 if (Friend == Context) 320 return true; 321 322 assert(!Friend->isDependentContext() && 323 "can't handle friends with dependent contexts here"); 324 325 if (!Context->isDependentContext()) 326 return false; 327 328 if (Friend->isFileContext()) 329 return false; 330 331 // TODO: this is very conservative 332 return true; 333} 334 335// Asks whether the type in 'context' can ever instantiate to the type 336// in 'friend'. 337static bool MightInstantiateTo(Sema &S, CanQualType Context, CanQualType Friend) { 338 if (Friend == Context) 339 return true; 340 341 if (!Friend->isDependentType() && !Context->isDependentType()) 342 return false; 343 344 // TODO: this is very conservative. 345 return true; 346} 347 348static bool MightInstantiateTo(Sema &S, 349 FunctionDecl *Context, 350 FunctionDecl *Friend) { 351 if (Context->getDeclName() != Friend->getDeclName()) 352 return false; 353 354 if (!MightInstantiateTo(S, 355 Context->getDeclContext(), 356 Friend->getDeclContext())) 357 return false; 358 359 CanQual<FunctionProtoType> FriendTy 360 = S.Context.getCanonicalType(Friend->getType()) 361 ->getAs<FunctionProtoType>(); 362 CanQual<FunctionProtoType> ContextTy 363 = S.Context.getCanonicalType(Context->getType()) 364 ->getAs<FunctionProtoType>(); 365 366 // There isn't any way that I know of to add qualifiers 367 // during instantiation. 368 if (FriendTy.getQualifiers() != ContextTy.getQualifiers()) 369 return false; 370 371 if (FriendTy->getNumArgs() != ContextTy->getNumArgs()) 372 return false; 373 374 if (!MightInstantiateTo(S, 375 ContextTy->getResultType(), 376 FriendTy->getResultType())) 377 return false; 378 379 for (unsigned I = 0, E = FriendTy->getNumArgs(); I != E; ++I) 380 if (!MightInstantiateTo(S, 381 ContextTy->getArgType(I), 382 FriendTy->getArgType(I))) 383 return false; 384 385 return true; 386} 387 388static bool MightInstantiateTo(Sema &S, 389 FunctionTemplateDecl *Context, 390 FunctionTemplateDecl *Friend) { 391 return MightInstantiateTo(S, 392 Context->getTemplatedDecl(), 393 Friend->getTemplatedDecl()); 394} 395 396static AccessResult MatchesFriend(Sema &S, 397 const EffectiveContext &EC, 398 const CXXRecordDecl *Friend) { 399 if (EC.includesClass(Friend)) 400 return AR_accessible; 401 402 if (EC.isDependent()) { 403 CanQualType FriendTy 404 = S.Context.getCanonicalType(S.Context.getTypeDeclType(Friend)); 405 406 for (EffectiveContext::record_iterator 407 I = EC.Records.begin(), E = EC.Records.end(); I != E; ++I) { 408 CanQualType ContextTy 409 = S.Context.getCanonicalType(S.Context.getTypeDeclType(*I)); 410 if (MightInstantiateTo(S, ContextTy, FriendTy)) 411 return AR_dependent; 412 } 413 } 414 415 return AR_inaccessible; 416} 417 418static AccessResult MatchesFriend(Sema &S, 419 const EffectiveContext &EC, 420 CanQualType Friend) { 421 if (const RecordType *RT = Friend->getAs<RecordType>()) 422 return MatchesFriend(S, EC, cast<CXXRecordDecl>(RT->getDecl())); 423 424 // TODO: we can do better than this 425 if (Friend->isDependentType()) 426 return AR_dependent; 427 428 return AR_inaccessible; 429} 430 431/// Determines whether the given friend class template matches 432/// anything in the effective context. 433static AccessResult MatchesFriend(Sema &S, 434 const EffectiveContext &EC, 435 ClassTemplateDecl *Friend) { 436 AccessResult OnFailure = AR_inaccessible; 437 438 // Check whether the friend is the template of a class in the 439 // context chain. 440 for (SmallVectorImpl<CXXRecordDecl*>::const_iterator 441 I = EC.Records.begin(), E = EC.Records.end(); I != E; ++I) { 442 CXXRecordDecl *Record = *I; 443 444 // Figure out whether the current class has a template: 445 ClassTemplateDecl *CTD; 446 447 // A specialization of the template... 448 if (isa<ClassTemplateSpecializationDecl>(Record)) { 449 CTD = cast<ClassTemplateSpecializationDecl>(Record) 450 ->getSpecializedTemplate(); 451 452 // ... or the template pattern itself. 453 } else { 454 CTD = Record->getDescribedClassTemplate(); 455 if (!CTD) continue; 456 } 457 458 // It's a match. 459 if (Friend == CTD->getCanonicalDecl()) 460 return AR_accessible; 461 462 // If the context isn't dependent, it can't be a dependent match. 463 if (!EC.isDependent()) 464 continue; 465 466 // If the template names don't match, it can't be a dependent 467 // match. 468 if (CTD->getDeclName() != Friend->getDeclName()) 469 continue; 470 471 // If the class's context can't instantiate to the friend's 472 // context, it can't be a dependent match. 473 if (!MightInstantiateTo(S, CTD->getDeclContext(), 474 Friend->getDeclContext())) 475 continue; 476 477 // Otherwise, it's a dependent match. 478 OnFailure = AR_dependent; 479 } 480 481 return OnFailure; 482} 483 484/// Determines whether the given friend function matches anything in 485/// the effective context. 486static AccessResult MatchesFriend(Sema &S, 487 const EffectiveContext &EC, 488 FunctionDecl *Friend) { 489 AccessResult OnFailure = AR_inaccessible; 490 491 for (SmallVectorImpl<FunctionDecl*>::const_iterator 492 I = EC.Functions.begin(), E = EC.Functions.end(); I != E; ++I) { 493 if (Friend == *I) 494 return AR_accessible; 495 496 if (EC.isDependent() && MightInstantiateTo(S, *I, Friend)) 497 OnFailure = AR_dependent; 498 } 499 500 return OnFailure; 501} 502 503/// Determines whether the given friend function template matches 504/// anything in the effective context. 505static AccessResult MatchesFriend(Sema &S, 506 const EffectiveContext &EC, 507 FunctionTemplateDecl *Friend) { 508 if (EC.Functions.empty()) return AR_inaccessible; 509 510 AccessResult OnFailure = AR_inaccessible; 511 512 for (SmallVectorImpl<FunctionDecl*>::const_iterator 513 I = EC.Functions.begin(), E = EC.Functions.end(); I != E; ++I) { 514 515 FunctionTemplateDecl *FTD = (*I)->getPrimaryTemplate(); 516 if (!FTD) 517 FTD = (*I)->getDescribedFunctionTemplate(); 518 if (!FTD) 519 continue; 520 521 FTD = FTD->getCanonicalDecl(); 522 523 if (Friend == FTD) 524 return AR_accessible; 525 526 if (EC.isDependent() && MightInstantiateTo(S, FTD, Friend)) 527 OnFailure = AR_dependent; 528 } 529 530 return OnFailure; 531} 532 533/// Determines whether the given friend declaration matches anything 534/// in the effective context. 535static AccessResult MatchesFriend(Sema &S, 536 const EffectiveContext &EC, 537 FriendDecl *FriendD) { 538 // Whitelist accesses if there's an invalid or unsupported friend 539 // declaration. 540 if (FriendD->isInvalidDecl() || FriendD->isUnsupportedFriend()) 541 return AR_accessible; 542 543 if (TypeSourceInfo *T = FriendD->getFriendType()) 544 return MatchesFriend(S, EC, T->getType()->getCanonicalTypeUnqualified()); 545 546 NamedDecl *Friend 547 = cast<NamedDecl>(FriendD->getFriendDecl()->getCanonicalDecl()); 548 549 // FIXME: declarations with dependent or templated scope. 550 551 if (isa<ClassTemplateDecl>(Friend)) 552 return MatchesFriend(S, EC, cast<ClassTemplateDecl>(Friend)); 553 554 if (isa<FunctionTemplateDecl>(Friend)) 555 return MatchesFriend(S, EC, cast<FunctionTemplateDecl>(Friend)); 556 557 if (isa<CXXRecordDecl>(Friend)) 558 return MatchesFriend(S, EC, cast<CXXRecordDecl>(Friend)); 559 560 assert(isa<FunctionDecl>(Friend) && "unknown friend decl kind"); 561 return MatchesFriend(S, EC, cast<FunctionDecl>(Friend)); 562} 563 564static AccessResult GetFriendKind(Sema &S, 565 const EffectiveContext &EC, 566 const CXXRecordDecl *Class) { 567 AccessResult OnFailure = AR_inaccessible; 568 569 // Okay, check friends. 570 for (CXXRecordDecl::friend_iterator I = Class->friend_begin(), 571 E = Class->friend_end(); I != E; ++I) { 572 FriendDecl *Friend = *I; 573 574 switch (MatchesFriend(S, EC, Friend)) { 575 case AR_accessible: 576 return AR_accessible; 577 578 case AR_inaccessible: 579 continue; 580 581 case AR_dependent: 582 OnFailure = AR_dependent; 583 break; 584 } 585 } 586 587 // That's it, give up. 588 return OnFailure; 589} 590 591namespace { 592 593/// A helper class for checking for a friend which will grant access 594/// to a protected instance member. 595struct ProtectedFriendContext { 596 Sema &S; 597 const EffectiveContext &EC; 598 const CXXRecordDecl *NamingClass; 599 bool CheckDependent; 600 bool EverDependent; 601 602 /// The path down to the current base class. 603 SmallVector<const CXXRecordDecl*, 20> CurPath; 604 605 ProtectedFriendContext(Sema &S, const EffectiveContext &EC, 606 const CXXRecordDecl *InstanceContext, 607 const CXXRecordDecl *NamingClass) 608 : S(S), EC(EC), NamingClass(NamingClass), 609 CheckDependent(InstanceContext->isDependentContext() || 610 NamingClass->isDependentContext()), 611 EverDependent(false) {} 612 613 /// Check classes in the current path for friendship, starting at 614 /// the given index. 615 bool checkFriendshipAlongPath(unsigned I) { 616 assert(I < CurPath.size()); 617 for (unsigned E = CurPath.size(); I != E; ++I) { 618 switch (GetFriendKind(S, EC, CurPath[I])) { 619 case AR_accessible: return true; 620 case AR_inaccessible: continue; 621 case AR_dependent: EverDependent = true; continue; 622 } 623 } 624 return false; 625 } 626 627 /// Perform a search starting at the given class. 628 /// 629 /// PrivateDepth is the index of the last (least derived) class 630 /// along the current path such that a notional public member of 631 /// the final class in the path would have access in that class. 632 bool findFriendship(const CXXRecordDecl *Cur, unsigned PrivateDepth) { 633 // If we ever reach the naming class, check the current path for 634 // friendship. We can also stop recursing because we obviously 635 // won't find the naming class there again. 636 if (Cur == NamingClass) 637 return checkFriendshipAlongPath(PrivateDepth); 638 639 if (CheckDependent && MightInstantiateTo(Cur, NamingClass)) 640 EverDependent = true; 641 642 // Recurse into the base classes. 643 for (CXXRecordDecl::base_class_const_iterator 644 I = Cur->bases_begin(), E = Cur->bases_end(); I != E; ++I) { 645 646 // If this is private inheritance, then a public member of the 647 // base will not have any access in classes derived from Cur. 648 unsigned BasePrivateDepth = PrivateDepth; 649 if (I->getAccessSpecifier() == AS_private) 650 BasePrivateDepth = CurPath.size() - 1; 651 652 const CXXRecordDecl *RD; 653 654 QualType T = I->getType(); 655 if (const RecordType *RT = T->getAs<RecordType>()) { 656 RD = cast<CXXRecordDecl>(RT->getDecl()); 657 } else if (const InjectedClassNameType *IT 658 = T->getAs<InjectedClassNameType>()) { 659 RD = IT->getDecl(); 660 } else { 661 assert(T->isDependentType() && "non-dependent base wasn't a record?"); 662 EverDependent = true; 663 continue; 664 } 665 666 // Recurse. We don't need to clean up if this returns true. 667 CurPath.push_back(RD); 668 if (findFriendship(RD->getCanonicalDecl(), BasePrivateDepth)) 669 return true; 670 CurPath.pop_back(); 671 } 672 673 return false; 674 } 675 676 bool findFriendship(const CXXRecordDecl *Cur) { 677 assert(CurPath.empty()); 678 CurPath.push_back(Cur); 679 return findFriendship(Cur, 0); 680 } 681}; 682} 683 684/// Search for a class P that EC is a friend of, under the constraint 685/// InstanceContext <= P 686/// if InstanceContext exists, or else 687/// NamingClass <= P 688/// and with the additional restriction that a protected member of 689/// NamingClass would have some natural access in P, which implicitly 690/// imposes the constraint that P <= NamingClass. 691/// 692/// This isn't quite the condition laid out in the standard. 693/// Instead of saying that a notional protected member of NamingClass 694/// would have to have some natural access in P, it says the actual 695/// target has to have some natural access in P, which opens up the 696/// possibility that the target (which is not necessarily a member 697/// of NamingClass) might be more accessible along some path not 698/// passing through it. That's really a bad idea, though, because it 699/// introduces two problems: 700/// - Most importantly, it breaks encapsulation because you can 701/// access a forbidden base class's members by directly subclassing 702/// it elsewhere. 703/// - It also makes access substantially harder to compute because it 704/// breaks the hill-climbing algorithm: knowing that the target is 705/// accessible in some base class would no longer let you change 706/// the question solely to whether the base class is accessible, 707/// because the original target might have been more accessible 708/// because of crazy subclassing. 709/// So we don't implement that. 710static AccessResult GetProtectedFriendKind(Sema &S, const EffectiveContext &EC, 711 const CXXRecordDecl *InstanceContext, 712 const CXXRecordDecl *NamingClass) { 713 assert(InstanceContext == 0 || 714 InstanceContext->getCanonicalDecl() == InstanceContext); 715 assert(NamingClass->getCanonicalDecl() == NamingClass); 716 717 // If we don't have an instance context, our constraints give us 718 // that NamingClass <= P <= NamingClass, i.e. P == NamingClass. 719 // This is just the usual friendship check. 720 if (!InstanceContext) return GetFriendKind(S, EC, NamingClass); 721 722 ProtectedFriendContext PRC(S, EC, InstanceContext, NamingClass); 723 if (PRC.findFriendship(InstanceContext)) return AR_accessible; 724 if (PRC.EverDependent) return AR_dependent; 725 return AR_inaccessible; 726} 727 728static AccessResult HasAccess(Sema &S, 729 const EffectiveContext &EC, 730 const CXXRecordDecl *NamingClass, 731 AccessSpecifier Access, 732 const AccessTarget &Target) { 733 assert(NamingClass->getCanonicalDecl() == NamingClass && 734 "declaration should be canonicalized before being passed here"); 735 736 if (Access == AS_public) return AR_accessible; 737 assert(Access == AS_private || Access == AS_protected); 738 739 AccessResult OnFailure = AR_inaccessible; 740 741 for (EffectiveContext::record_iterator 742 I = EC.Records.begin(), E = EC.Records.end(); I != E; ++I) { 743 // All the declarations in EC have been canonicalized, so pointer 744 // equality from this point on will work fine. 745 const CXXRecordDecl *ECRecord = *I; 746 747 // [B2] and [M2] 748 if (Access == AS_private) { 749 if (ECRecord == NamingClass) 750 return AR_accessible; 751 752 if (EC.isDependent() && MightInstantiateTo(ECRecord, NamingClass)) 753 OnFailure = AR_dependent; 754 755 // [B3] and [M3] 756 } else { 757 assert(Access == AS_protected); 758 switch (IsDerivedFromInclusive(ECRecord, NamingClass)) { 759 case AR_accessible: break; 760 case AR_inaccessible: continue; 761 case AR_dependent: OnFailure = AR_dependent; continue; 762 } 763 764 // C++ [class.protected]p1: 765 // An additional access check beyond those described earlier in 766 // [class.access] is applied when a non-static data member or 767 // non-static member function is a protected member of its naming 768 // class. As described earlier, access to a protected member is 769 // granted because the reference occurs in a friend or member of 770 // some class C. If the access is to form a pointer to member, 771 // the nested-name-specifier shall name C or a class derived from 772 // C. All other accesses involve a (possibly implicit) object 773 // expression. In this case, the class of the object expression 774 // shall be C or a class derived from C. 775 // 776 // We interpret this as a restriction on [M3]. 777 778 // In this part of the code, 'C' is just our context class ECRecord. 779 780 // These rules are different if we don't have an instance context. 781 if (!Target.hasInstanceContext()) { 782 // If it's not an instance member, these restrictions don't apply. 783 if (!Target.isInstanceMember()) return AR_accessible; 784 785 // If it's an instance member, use the pointer-to-member rule 786 // that the naming class has to be derived from the effective 787 // context. 788 789 // Emulate a MSVC bug where the creation of pointer-to-member 790 // to protected member of base class is allowed but only from 791 // static member functions. 792 if (S.getLangOpts().MicrosoftMode && !EC.Functions.empty()) 793 if (CXXMethodDecl* MD = dyn_cast<CXXMethodDecl>(EC.Functions.front())) 794 if (MD->isStatic()) return AR_accessible; 795 796 // Despite the standard's confident wording, there is a case 797 // where you can have an instance member that's neither in a 798 // pointer-to-member expression nor in a member access: when 799 // it names a field in an unevaluated context that can't be an 800 // implicit member. Pending clarification, we just apply the 801 // same naming-class restriction here. 802 // FIXME: we're probably not correctly adding the 803 // protected-member restriction when we retroactively convert 804 // an expression to being evaluated. 805 806 // We know that ECRecord derives from NamingClass. The 807 // restriction says to check whether NamingClass derives from 808 // ECRecord, but that's not really necessary: two distinct 809 // classes can't be recursively derived from each other. So 810 // along this path, we just need to check whether the classes 811 // are equal. 812 if (NamingClass == ECRecord) return AR_accessible; 813 814 // Otherwise, this context class tells us nothing; on to the next. 815 continue; 816 } 817 818 assert(Target.isInstanceMember()); 819 820 const CXXRecordDecl *InstanceContext = Target.resolveInstanceContext(S); 821 if (!InstanceContext) { 822 OnFailure = AR_dependent; 823 continue; 824 } 825 826 switch (IsDerivedFromInclusive(InstanceContext, ECRecord)) { 827 case AR_accessible: return AR_accessible; 828 case AR_inaccessible: continue; 829 case AR_dependent: OnFailure = AR_dependent; continue; 830 } 831 } 832 } 833 834 // [M3] and [B3] say that, if the target is protected in N, we grant 835 // access if the access occurs in a friend or member of some class P 836 // that's a subclass of N and where the target has some natural 837 // access in P. The 'member' aspect is easy to handle because P 838 // would necessarily be one of the effective-context records, and we 839 // address that above. The 'friend' aspect is completely ridiculous 840 // to implement because there are no restrictions at all on P 841 // *unless* the [class.protected] restriction applies. If it does, 842 // however, we should ignore whether the naming class is a friend, 843 // and instead rely on whether any potential P is a friend. 844 if (Access == AS_protected && Target.isInstanceMember()) { 845 // Compute the instance context if possible. 846 const CXXRecordDecl *InstanceContext = 0; 847 if (Target.hasInstanceContext()) { 848 InstanceContext = Target.resolveInstanceContext(S); 849 if (!InstanceContext) return AR_dependent; 850 } 851 852 switch (GetProtectedFriendKind(S, EC, InstanceContext, NamingClass)) { 853 case AR_accessible: return AR_accessible; 854 case AR_inaccessible: return OnFailure; 855 case AR_dependent: return AR_dependent; 856 } 857 llvm_unreachable("impossible friendship kind"); 858 } 859 860 switch (GetFriendKind(S, EC, NamingClass)) { 861 case AR_accessible: return AR_accessible; 862 case AR_inaccessible: return OnFailure; 863 case AR_dependent: return AR_dependent; 864 } 865 866 // Silence bogus warnings 867 llvm_unreachable("impossible friendship kind"); 868} 869 870/// Finds the best path from the naming class to the declaring class, 871/// taking friend declarations into account. 872/// 873/// C++0x [class.access.base]p5: 874/// A member m is accessible at the point R when named in class N if 875/// [M1] m as a member of N is public, or 876/// [M2] m as a member of N is private, and R occurs in a member or 877/// friend of class N, or 878/// [M3] m as a member of N is protected, and R occurs in a member or 879/// friend of class N, or in a member or friend of a class P 880/// derived from N, where m as a member of P is public, private, 881/// or protected, or 882/// [M4] there exists a base class B of N that is accessible at R, and 883/// m is accessible at R when named in class B. 884/// 885/// C++0x [class.access.base]p4: 886/// A base class B of N is accessible at R, if 887/// [B1] an invented public member of B would be a public member of N, or 888/// [B2] R occurs in a member or friend of class N, and an invented public 889/// member of B would be a private or protected member of N, or 890/// [B3] R occurs in a member or friend of a class P derived from N, and an 891/// invented public member of B would be a private or protected member 892/// of P, or 893/// [B4] there exists a class S such that B is a base class of S accessible 894/// at R and S is a base class of N accessible at R. 895/// 896/// Along a single inheritance path we can restate both of these 897/// iteratively: 898/// 899/// First, we note that M1-4 are equivalent to B1-4 if the member is 900/// treated as a notional base of its declaring class with inheritance 901/// access equivalent to the member's access. Therefore we need only 902/// ask whether a class B is accessible from a class N in context R. 903/// 904/// Let B_1 .. B_n be the inheritance path in question (i.e. where 905/// B_1 = N, B_n = B, and for all i, B_{i+1} is a direct base class of 906/// B_i). For i in 1..n, we will calculate ACAB(i), the access to the 907/// closest accessible base in the path: 908/// Access(a, b) = (* access on the base specifier from a to b *) 909/// Merge(a, forbidden) = forbidden 910/// Merge(a, private) = forbidden 911/// Merge(a, b) = min(a,b) 912/// Accessible(c, forbidden) = false 913/// Accessible(c, private) = (R is c) || IsFriend(c, R) 914/// Accessible(c, protected) = (R derived from c) || IsFriend(c, R) 915/// Accessible(c, public) = true 916/// ACAB(n) = public 917/// ACAB(i) = 918/// let AccessToBase = Merge(Access(B_i, B_{i+1}), ACAB(i+1)) in 919/// if Accessible(B_i, AccessToBase) then public else AccessToBase 920/// 921/// B is an accessible base of N at R iff ACAB(1) = public. 922/// 923/// \param FinalAccess the access of the "final step", or AS_public if 924/// there is no final step. 925/// \return null if friendship is dependent 926static CXXBasePath *FindBestPath(Sema &S, 927 const EffectiveContext &EC, 928 AccessTarget &Target, 929 AccessSpecifier FinalAccess, 930 CXXBasePaths &Paths) { 931 // Derive the paths to the desired base. 932 const CXXRecordDecl *Derived = Target.getNamingClass(); 933 const CXXRecordDecl *Base = Target.getDeclaringClass(); 934 935 // FIXME: fail correctly when there are dependent paths. 936 bool isDerived = Derived->isDerivedFrom(const_cast<CXXRecordDecl*>(Base), 937 Paths); 938 assert(isDerived && "derived class not actually derived from base"); 939 (void) isDerived; 940 941 CXXBasePath *BestPath = 0; 942 943 assert(FinalAccess != AS_none && "forbidden access after declaring class"); 944 945 bool AnyDependent = false; 946 947 // Derive the friend-modified access along each path. 948 for (CXXBasePaths::paths_iterator PI = Paths.begin(), PE = Paths.end(); 949 PI != PE; ++PI) { 950 AccessTarget::SavedInstanceContext _ = Target.saveInstanceContext(); 951 952 // Walk through the path backwards. 953 AccessSpecifier PathAccess = FinalAccess; 954 CXXBasePath::iterator I = PI->end(), E = PI->begin(); 955 while (I != E) { 956 --I; 957 958 assert(PathAccess != AS_none); 959 960 // If the declaration is a private member of a base class, there 961 // is no level of friendship in derived classes that can make it 962 // accessible. 963 if (PathAccess == AS_private) { 964 PathAccess = AS_none; 965 break; 966 } 967 968 const CXXRecordDecl *NC = I->Class->getCanonicalDecl(); 969 970 AccessSpecifier BaseAccess = I->Base->getAccessSpecifier(); 971 PathAccess = std::max(PathAccess, BaseAccess); 972 973 switch (HasAccess(S, EC, NC, PathAccess, Target)) { 974 case AR_inaccessible: break; 975 case AR_accessible: 976 PathAccess = AS_public; 977 978 // Future tests are not against members and so do not have 979 // instance context. 980 Target.suppressInstanceContext(); 981 break; 982 case AR_dependent: 983 AnyDependent = true; 984 goto Next; 985 } 986 } 987 988 // Note that we modify the path's Access field to the 989 // friend-modified access. 990 if (BestPath == 0 || PathAccess < BestPath->Access) { 991 BestPath = &*PI; 992 BestPath->Access = PathAccess; 993 994 // Short-circuit if we found a public path. 995 if (BestPath->Access == AS_public) 996 return BestPath; 997 } 998 999 Next: ; 1000 } 1001 1002 assert((!BestPath || BestPath->Access != AS_public) && 1003 "fell out of loop with public path"); 1004 1005 // We didn't find a public path, but at least one path was subject 1006 // to dependent friendship, so delay the check. 1007 if (AnyDependent) 1008 return 0; 1009 1010 return BestPath; 1011} 1012 1013/// Given that an entity has protected natural access, check whether 1014/// access might be denied because of the protected member access 1015/// restriction. 1016/// 1017/// \return true if a note was emitted 1018static bool TryDiagnoseProtectedAccess(Sema &S, const EffectiveContext &EC, 1019 AccessTarget &Target) { 1020 // Only applies to instance accesses. 1021 if (!Target.isInstanceMember()) 1022 return false; 1023 1024 assert(Target.isMemberAccess()); 1025 1026 const CXXRecordDecl *NamingClass = Target.getNamingClass(); 1027 NamingClass = NamingClass->getCanonicalDecl(); 1028 1029 for (EffectiveContext::record_iterator 1030 I = EC.Records.begin(), E = EC.Records.end(); I != E; ++I) { 1031 const CXXRecordDecl *ECRecord = *I; 1032 switch (IsDerivedFromInclusive(ECRecord, NamingClass)) { 1033 case AR_accessible: break; 1034 case AR_inaccessible: continue; 1035 case AR_dependent: continue; 1036 } 1037 1038 // The effective context is a subclass of the declaring class. 1039 // Check whether the [class.protected] restriction is limiting 1040 // access. 1041 1042 // To get this exactly right, this might need to be checked more 1043 // holistically; it's not necessarily the case that gaining 1044 // access here would grant us access overall. 1045 1046 NamedDecl *D = Target.getTargetDecl(); 1047 1048 // If we don't have an instance context, [class.protected] says the 1049 // naming class has to equal the context class. 1050 if (!Target.hasInstanceContext()) { 1051 // If it does, the restriction doesn't apply. 1052 if (NamingClass == ECRecord) continue; 1053 1054 // TODO: it would be great to have a fixit here, since this is 1055 // such an obvious error. 1056 S.Diag(D->getLocation(), diag::note_access_protected_restricted_noobject) 1057 << S.Context.getTypeDeclType(ECRecord); 1058 return true; 1059 } 1060 1061 const CXXRecordDecl *InstanceContext = Target.resolveInstanceContext(S); 1062 assert(InstanceContext && "diagnosing dependent access"); 1063 1064 switch (IsDerivedFromInclusive(InstanceContext, ECRecord)) { 1065 case AR_accessible: continue; 1066 case AR_dependent: continue; 1067 case AR_inaccessible: 1068 break; 1069 } 1070 1071 // Okay, the restriction seems to be what's limiting us. 1072 1073 // Use a special diagnostic for constructors and destructors. 1074 if (isa<CXXConstructorDecl>(D) || isa<CXXDestructorDecl>(D) || 1075 (isa<FunctionTemplateDecl>(D) && 1076 isa<CXXConstructorDecl>( 1077 cast<FunctionTemplateDecl>(D)->getTemplatedDecl()))) { 1078 S.Diag(D->getLocation(), diag::note_access_protected_restricted_ctordtor) 1079 << isa<CXXDestructorDecl>(D); 1080 return true; 1081 } 1082 1083 // Otherwise, use the generic diagnostic. 1084 S.Diag(D->getLocation(), diag::note_access_protected_restricted_object) 1085 << S.Context.getTypeDeclType(ECRecord); 1086 return true; 1087 } 1088 1089 return false; 1090} 1091 1092/// Diagnose the path which caused the given declaration or base class 1093/// to become inaccessible. 1094static void DiagnoseAccessPath(Sema &S, 1095 const EffectiveContext &EC, 1096 AccessTarget &Entity) { 1097 AccessSpecifier Access = Entity.getAccess(); 1098 1099 NamedDecl *D = (Entity.isMemberAccess() ? Entity.getTargetDecl() : 0); 1100 const CXXRecordDecl *DeclaringClass = Entity.getDeclaringClass(); 1101 1102 // Easy case: the decl's natural access determined its path access. 1103 // We have to check against AS_private here in case Access is AS_none, 1104 // indicating a non-public member of a private base class. 1105 if (D && (Access == D->getAccess() || D->getAccess() == AS_private)) { 1106 switch (HasAccess(S, EC, DeclaringClass, D->getAccess(), Entity)) { 1107 case AR_inaccessible: { 1108 if (Access == AS_protected && 1109 TryDiagnoseProtectedAccess(S, EC, Entity)) 1110 return; 1111 1112 // Find an original declaration. 1113 while (D->isOutOfLine()) { 1114 NamedDecl *PrevDecl = 0; 1115 if (VarDecl *VD = dyn_cast<VarDecl>(D)) 1116 PrevDecl = VD->getPreviousDecl(); 1117 else if (FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) 1118 PrevDecl = FD->getPreviousDecl(); 1119 else if (TypedefNameDecl *TND = dyn_cast<TypedefNameDecl>(D)) 1120 PrevDecl = TND->getPreviousDecl(); 1121 else if (TagDecl *TD = dyn_cast<TagDecl>(D)) { 1122 if (isa<RecordDecl>(D) && cast<RecordDecl>(D)->isInjectedClassName()) 1123 break; 1124 PrevDecl = TD->getPreviousDecl(); 1125 } 1126 if (!PrevDecl) break; 1127 D = PrevDecl; 1128 } 1129 1130 CXXRecordDecl *DeclaringClass = FindDeclaringClass(D); 1131 Decl *ImmediateChild; 1132 if (D->getDeclContext() == DeclaringClass) 1133 ImmediateChild = D; 1134 else { 1135 DeclContext *DC = D->getDeclContext(); 1136 while (DC->getParent() != DeclaringClass) 1137 DC = DC->getParent(); 1138 ImmediateChild = cast<Decl>(DC); 1139 } 1140 1141 // Check whether there's an AccessSpecDecl preceding this in the 1142 // chain of the DeclContext. 1143 bool Implicit = true; 1144 for (CXXRecordDecl::decl_iterator 1145 I = DeclaringClass->decls_begin(), E = DeclaringClass->decls_end(); 1146 I != E; ++I) { 1147 if (*I == ImmediateChild) break; 1148 if (isa<AccessSpecDecl>(*I)) { 1149 Implicit = false; 1150 break; 1151 } 1152 } 1153 1154 S.Diag(D->getLocation(), diag::note_access_natural) 1155 << (unsigned) (Access == AS_protected) 1156 << Implicit; 1157 return; 1158 } 1159 1160 case AR_accessible: break; 1161 1162 case AR_dependent: 1163 llvm_unreachable("can't diagnose dependent access failures"); 1164 } 1165 } 1166 1167 CXXBasePaths Paths; 1168 CXXBasePath &Path = *FindBestPath(S, EC, Entity, AS_public, Paths); 1169 1170 CXXBasePath::iterator I = Path.end(), E = Path.begin(); 1171 while (I != E) { 1172 --I; 1173 1174 const CXXBaseSpecifier *BS = I->Base; 1175 AccessSpecifier BaseAccess = BS->getAccessSpecifier(); 1176 1177 // If this is public inheritance, or the derived class is a friend, 1178 // skip this step. 1179 if (BaseAccess == AS_public) 1180 continue; 1181 1182 switch (GetFriendKind(S, EC, I->Class)) { 1183 case AR_accessible: continue; 1184 case AR_inaccessible: break; 1185 case AR_dependent: 1186 llvm_unreachable("can't diagnose dependent access failures"); 1187 } 1188 1189 // Check whether this base specifier is the tighest point 1190 // constraining access. We have to check against AS_private for 1191 // the same reasons as above. 1192 if (BaseAccess == AS_private || BaseAccess >= Access) { 1193 1194 // We're constrained by inheritance, but we want to say 1195 // "declared private here" if we're diagnosing a hierarchy 1196 // conversion and this is the final step. 1197 unsigned diagnostic; 1198 if (D) diagnostic = diag::note_access_constrained_by_path; 1199 else if (I + 1 == Path.end()) diagnostic = diag::note_access_natural; 1200 else diagnostic = diag::note_access_constrained_by_path; 1201 1202 S.Diag(BS->getSourceRange().getBegin(), diagnostic) 1203 << BS->getSourceRange() 1204 << (BaseAccess == AS_protected) 1205 << (BS->getAccessSpecifierAsWritten() == AS_none); 1206 1207 if (D) 1208 S.Diag(D->getLocation(), diag::note_field_decl); 1209 1210 return; 1211 } 1212 } 1213 1214 llvm_unreachable("access not apparently constrained by path"); 1215} 1216 1217static void DiagnoseBadAccess(Sema &S, SourceLocation Loc, 1218 const EffectiveContext &EC, 1219 AccessTarget &Entity) { 1220 const CXXRecordDecl *NamingClass = Entity.getNamingClass(); 1221 const CXXRecordDecl *DeclaringClass = Entity.getDeclaringClass(); 1222 NamedDecl *D = (Entity.isMemberAccess() ? Entity.getTargetDecl() : 0); 1223 1224 S.Diag(Loc, Entity.getDiag()) 1225 << (Entity.getAccess() == AS_protected) 1226 << (D ? D->getDeclName() : DeclarationName()) 1227 << S.Context.getTypeDeclType(NamingClass) 1228 << S.Context.getTypeDeclType(DeclaringClass); 1229 DiagnoseAccessPath(S, EC, Entity); 1230} 1231 1232/// MSVC has a bug where if during an using declaration name lookup, 1233/// the declaration found is unaccessible (private) and that declaration 1234/// was bring into scope via another using declaration whose target 1235/// declaration is accessible (public) then no error is generated. 1236/// Example: 1237/// class A { 1238/// public: 1239/// int f(); 1240/// }; 1241/// class B : public A { 1242/// private: 1243/// using A::f; 1244/// }; 1245/// class C : public B { 1246/// private: 1247/// using B::f; 1248/// }; 1249/// 1250/// Here, B::f is private so this should fail in Standard C++, but 1251/// because B::f refers to A::f which is public MSVC accepts it. 1252static bool IsMicrosoftUsingDeclarationAccessBug(Sema& S, 1253 SourceLocation AccessLoc, 1254 AccessTarget &Entity) { 1255 if (UsingShadowDecl *Shadow = 1256 dyn_cast<UsingShadowDecl>(Entity.getTargetDecl())) { 1257 const NamedDecl *OrigDecl = Entity.getTargetDecl()->getUnderlyingDecl(); 1258 if (Entity.getTargetDecl()->getAccess() == AS_private && 1259 (OrigDecl->getAccess() == AS_public || 1260 OrigDecl->getAccess() == AS_protected)) { 1261 S.Diag(AccessLoc, diag::ext_ms_using_declaration_inaccessible) 1262 << Shadow->getUsingDecl()->getQualifiedNameAsString() 1263 << OrigDecl->getQualifiedNameAsString(); 1264 return true; 1265 } 1266 } 1267 return false; 1268} 1269 1270/// Determines whether the accessed entity is accessible. Public members 1271/// have been weeded out by this point. 1272static AccessResult IsAccessible(Sema &S, 1273 const EffectiveContext &EC, 1274 AccessTarget &Entity) { 1275 // Determine the actual naming class. 1276 CXXRecordDecl *NamingClass = Entity.getNamingClass(); 1277 while (NamingClass->isAnonymousStructOrUnion()) 1278 NamingClass = cast<CXXRecordDecl>(NamingClass->getParent()); 1279 NamingClass = NamingClass->getCanonicalDecl(); 1280 1281 AccessSpecifier UnprivilegedAccess = Entity.getAccess(); 1282 assert(UnprivilegedAccess != AS_public && "public access not weeded out"); 1283 1284 // Before we try to recalculate access paths, try to white-list 1285 // accesses which just trade in on the final step, i.e. accesses 1286 // which don't require [M4] or [B4]. These are by far the most 1287 // common forms of privileged access. 1288 if (UnprivilegedAccess != AS_none) { 1289 switch (HasAccess(S, EC, NamingClass, UnprivilegedAccess, Entity)) { 1290 case AR_dependent: 1291 // This is actually an interesting policy decision. We don't 1292 // *have* to delay immediately here: we can do the full access 1293 // calculation in the hope that friendship on some intermediate 1294 // class will make the declaration accessible non-dependently. 1295 // But that's not cheap, and odds are very good (note: assertion 1296 // made without data) that the friend declaration will determine 1297 // access. 1298 return AR_dependent; 1299 1300 case AR_accessible: return AR_accessible; 1301 case AR_inaccessible: break; 1302 } 1303 } 1304 1305 AccessTarget::SavedInstanceContext _ = Entity.saveInstanceContext(); 1306 1307 // We lower member accesses to base accesses by pretending that the 1308 // member is a base class of its declaring class. 1309 AccessSpecifier FinalAccess; 1310 1311 if (Entity.isMemberAccess()) { 1312 // Determine if the declaration is accessible from EC when named 1313 // in its declaring class. 1314 NamedDecl *Target = Entity.getTargetDecl(); 1315 const CXXRecordDecl *DeclaringClass = Entity.getDeclaringClass(); 1316 1317 FinalAccess = Target->getAccess(); 1318 switch (HasAccess(S, EC, DeclaringClass, FinalAccess, Entity)) { 1319 case AR_accessible: 1320 // Target is accessible at EC when named in its declaring class. 1321 // We can now hill-climb and simply check whether the declaring 1322 // class is accessible as a base of the naming class. This is 1323 // equivalent to checking the access of a notional public 1324 // member with no instance context. 1325 FinalAccess = AS_public; 1326 Entity.suppressInstanceContext(); 1327 break; 1328 case AR_inaccessible: break; 1329 case AR_dependent: return AR_dependent; // see above 1330 } 1331 1332 if (DeclaringClass == NamingClass) 1333 return (FinalAccess == AS_public ? AR_accessible : AR_inaccessible); 1334 } else { 1335 FinalAccess = AS_public; 1336 } 1337 1338 assert(Entity.getDeclaringClass() != NamingClass); 1339 1340 // Append the declaration's access if applicable. 1341 CXXBasePaths Paths; 1342 CXXBasePath *Path = FindBestPath(S, EC, Entity, FinalAccess, Paths); 1343 if (!Path) 1344 return AR_dependent; 1345 1346 assert(Path->Access <= UnprivilegedAccess && 1347 "access along best path worse than direct?"); 1348 if (Path->Access == AS_public) 1349 return AR_accessible; 1350 return AR_inaccessible; 1351} 1352 1353static void DelayDependentAccess(Sema &S, 1354 const EffectiveContext &EC, 1355 SourceLocation Loc, 1356 const AccessTarget &Entity) { 1357 assert(EC.isDependent() && "delaying non-dependent access"); 1358 DeclContext *DC = EC.getInnerContext(); 1359 assert(DC->isDependentContext() && "delaying non-dependent access"); 1360 DependentDiagnostic::Create(S.Context, DC, DependentDiagnostic::Access, 1361 Loc, 1362 Entity.isMemberAccess(), 1363 Entity.getAccess(), 1364 Entity.getTargetDecl(), 1365 Entity.getNamingClass(), 1366 Entity.getBaseObjectType(), 1367 Entity.getDiag()); 1368} 1369 1370/// Checks access to an entity from the given effective context. 1371static AccessResult CheckEffectiveAccess(Sema &S, 1372 const EffectiveContext &EC, 1373 SourceLocation Loc, 1374 AccessTarget &Entity) { 1375 assert(Entity.getAccess() != AS_public && "called for public access!"); 1376 1377 if (S.getLangOpts().MicrosoftMode && 1378 IsMicrosoftUsingDeclarationAccessBug(S, Loc, Entity)) 1379 return AR_accessible; 1380 1381 switch (IsAccessible(S, EC, Entity)) { 1382 case AR_dependent: 1383 DelayDependentAccess(S, EC, Loc, Entity); 1384 return AR_dependent; 1385 1386 case AR_inaccessible: 1387 if (!Entity.isQuiet()) 1388 DiagnoseBadAccess(S, Loc, EC, Entity); 1389 return AR_inaccessible; 1390 1391 case AR_accessible: 1392 return AR_accessible; 1393 } 1394 1395 // silence unnecessary warning 1396 llvm_unreachable("invalid access result"); 1397} 1398 1399static Sema::AccessResult CheckAccess(Sema &S, SourceLocation Loc, 1400 AccessTarget &Entity) { 1401 // If the access path is public, it's accessible everywhere. 1402 if (Entity.getAccess() == AS_public) 1403 return Sema::AR_accessible; 1404 1405 // If we're currently parsing a declaration, we may need to delay 1406 // access control checking, because our effective context might be 1407 // different based on what the declaration comes out as. 1408 // 1409 // For example, we might be parsing a declaration with a scope 1410 // specifier, like this: 1411 // A::private_type A::foo() { ... } 1412 // 1413 // Or we might be parsing something that will turn out to be a friend: 1414 // void foo(A::private_type); 1415 // void B::foo(A::private_type); 1416 if (S.DelayedDiagnostics.shouldDelayDiagnostics()) { 1417 S.DelayedDiagnostics.add(DelayedDiagnostic::makeAccess(Loc, Entity)); 1418 return Sema::AR_delayed; 1419 } 1420 1421 EffectiveContext EC(S.CurContext); 1422 switch (CheckEffectiveAccess(S, EC, Loc, Entity)) { 1423 case AR_accessible: return Sema::AR_accessible; 1424 case AR_inaccessible: return Sema::AR_inaccessible; 1425 case AR_dependent: return Sema::AR_dependent; 1426 } 1427 llvm_unreachable("falling off end"); 1428} 1429 1430void Sema::HandleDelayedAccessCheck(DelayedDiagnostic &DD, Decl *decl) { 1431 // Access control for names used in the declarations of functions 1432 // and function templates should normally be evaluated in the context 1433 // of the declaration, just in case it's a friend of something. 1434 // However, this does not apply to local extern declarations. 1435 1436 DeclContext *DC = decl->getDeclContext(); 1437 if (FunctionDecl *fn = dyn_cast<FunctionDecl>(decl)) { 1438 if (!DC->isFunctionOrMethod()) DC = fn; 1439 } else if (FunctionTemplateDecl *fnt = dyn_cast<FunctionTemplateDecl>(decl)) { 1440 // Never a local declaration. 1441 DC = fnt->getTemplatedDecl(); 1442 } 1443 1444 EffectiveContext EC(DC); 1445 1446 AccessTarget Target(DD.getAccessData()); 1447 1448 if (CheckEffectiveAccess(*this, EC, DD.Loc, Target) == ::AR_inaccessible) 1449 DD.Triggered = true; 1450} 1451 1452void Sema::HandleDependentAccessCheck(const DependentDiagnostic &DD, 1453 const MultiLevelTemplateArgumentList &TemplateArgs) { 1454 SourceLocation Loc = DD.getAccessLoc(); 1455 AccessSpecifier Access = DD.getAccess(); 1456 1457 Decl *NamingD = FindInstantiatedDecl(Loc, DD.getAccessNamingClass(), 1458 TemplateArgs); 1459 if (!NamingD) return; 1460 Decl *TargetD = FindInstantiatedDecl(Loc, DD.getAccessTarget(), 1461 TemplateArgs); 1462 if (!TargetD) return; 1463 1464 if (DD.isAccessToMember()) { 1465 CXXRecordDecl *NamingClass = cast<CXXRecordDecl>(NamingD); 1466 NamedDecl *TargetDecl = cast<NamedDecl>(TargetD); 1467 QualType BaseObjectType = DD.getAccessBaseObjectType(); 1468 if (!BaseObjectType.isNull()) { 1469 BaseObjectType = SubstType(BaseObjectType, TemplateArgs, Loc, 1470 DeclarationName()); 1471 if (BaseObjectType.isNull()) return; 1472 } 1473 1474 AccessTarget Entity(Context, 1475 AccessTarget::Member, 1476 NamingClass, 1477 DeclAccessPair::make(TargetDecl, Access), 1478 BaseObjectType); 1479 Entity.setDiag(DD.getDiagnostic()); 1480 CheckAccess(*this, Loc, Entity); 1481 } else { 1482 AccessTarget Entity(Context, 1483 AccessTarget::Base, 1484 cast<CXXRecordDecl>(TargetD), 1485 cast<CXXRecordDecl>(NamingD), 1486 Access); 1487 Entity.setDiag(DD.getDiagnostic()); 1488 CheckAccess(*this, Loc, Entity); 1489 } 1490} 1491 1492Sema::AccessResult Sema::CheckUnresolvedLookupAccess(UnresolvedLookupExpr *E, 1493 DeclAccessPair Found) { 1494 if (!getLangOpts().AccessControl || 1495 !E->getNamingClass() || 1496 Found.getAccess() == AS_public) 1497 return AR_accessible; 1498 1499 AccessTarget Entity(Context, AccessTarget::Member, E->getNamingClass(), 1500 Found, QualType()); 1501 Entity.setDiag(diag::err_access) << E->getSourceRange(); 1502 1503 return CheckAccess(*this, E->getNameLoc(), Entity); 1504} 1505 1506/// Perform access-control checking on a previously-unresolved member 1507/// access which has now been resolved to a member. 1508Sema::AccessResult Sema::CheckUnresolvedMemberAccess(UnresolvedMemberExpr *E, 1509 DeclAccessPair Found) { 1510 if (!getLangOpts().AccessControl || 1511 Found.getAccess() == AS_public) 1512 return AR_accessible; 1513 1514 QualType BaseType = E->getBaseType(); 1515 if (E->isArrow()) 1516 BaseType = BaseType->getAs<PointerType>()->getPointeeType(); 1517 1518 AccessTarget Entity(Context, AccessTarget::Member, E->getNamingClass(), 1519 Found, BaseType); 1520 Entity.setDiag(diag::err_access) << E->getSourceRange(); 1521 1522 return CheckAccess(*this, E->getMemberLoc(), Entity); 1523} 1524 1525/// Is the given special member function accessible for the purposes of 1526/// deciding whether to define a special member function as deleted? 1527bool Sema::isSpecialMemberAccessibleForDeletion(CXXMethodDecl *decl, 1528 AccessSpecifier access, 1529 QualType objectType) { 1530 // Fast path. 1531 if (access == AS_public || !getLangOpts().AccessControl) return true; 1532 1533 AccessTarget entity(Context, AccessTarget::Member, decl->getParent(), 1534 DeclAccessPair::make(decl, access), objectType); 1535 1536 // Suppress diagnostics. 1537 entity.setDiag(PDiag()); 1538 1539 switch (CheckAccess(*this, SourceLocation(), entity)) { 1540 case AR_accessible: return true; 1541 case AR_inaccessible: return false; 1542 case AR_dependent: llvm_unreachable("dependent for =delete computation"); 1543 case AR_delayed: llvm_unreachable("cannot delay =delete computation"); 1544 } 1545 llvm_unreachable("bad access result"); 1546} 1547 1548Sema::AccessResult Sema::CheckDestructorAccess(SourceLocation Loc, 1549 CXXDestructorDecl *Dtor, 1550 const PartialDiagnostic &PDiag, 1551 QualType ObjectTy) { 1552 if (!getLangOpts().AccessControl) 1553 return AR_accessible; 1554 1555 // There's never a path involved when checking implicit destructor access. 1556 AccessSpecifier Access = Dtor->getAccess(); 1557 if (Access == AS_public) 1558 return AR_accessible; 1559 1560 CXXRecordDecl *NamingClass = Dtor->getParent(); 1561 if (ObjectTy.isNull()) ObjectTy = Context.getTypeDeclType(NamingClass); 1562 1563 AccessTarget Entity(Context, AccessTarget::Member, NamingClass, 1564 DeclAccessPair::make(Dtor, Access), 1565 ObjectTy); 1566 Entity.setDiag(PDiag); // TODO: avoid copy 1567 1568 return CheckAccess(*this, Loc, Entity); 1569} 1570 1571/// Checks access to a constructor. 1572Sema::AccessResult Sema::CheckConstructorAccess(SourceLocation UseLoc, 1573 CXXConstructorDecl *Constructor, 1574 const InitializedEntity &Entity, 1575 AccessSpecifier Access, 1576 bool IsCopyBindingRefToTemp) { 1577 if (!getLangOpts().AccessControl || Access == AS_public) 1578 return AR_accessible; 1579 1580 PartialDiagnostic PD(PDiag()); 1581 switch (Entity.getKind()) { 1582 default: 1583 PD = PDiag(IsCopyBindingRefToTemp 1584 ? diag::ext_rvalue_to_reference_access_ctor 1585 : diag::err_access_ctor); 1586 1587 break; 1588 1589 case InitializedEntity::EK_Base: 1590 PD = PDiag(diag::err_access_base_ctor); 1591 PD << Entity.isInheritedVirtualBase() 1592 << Entity.getBaseSpecifier()->getType() << getSpecialMember(Constructor); 1593 break; 1594 1595 case InitializedEntity::EK_Member: { 1596 const FieldDecl *Field = cast<FieldDecl>(Entity.getDecl()); 1597 PD = PDiag(diag::err_access_field_ctor); 1598 PD << Field->getType() << getSpecialMember(Constructor); 1599 break; 1600 } 1601 1602 case InitializedEntity::EK_LambdaCapture: { 1603 const VarDecl *Var = Entity.getCapturedVar(); 1604 PD = PDiag(diag::err_access_lambda_capture); 1605 PD << Var->getName() << Entity.getType() << getSpecialMember(Constructor); 1606 break; 1607 } 1608 1609 } 1610 1611 return CheckConstructorAccess(UseLoc, Constructor, Entity, Access, PD); 1612} 1613 1614/// Checks access to a constructor. 1615Sema::AccessResult Sema::CheckConstructorAccess(SourceLocation UseLoc, 1616 CXXConstructorDecl *Constructor, 1617 const InitializedEntity &Entity, 1618 AccessSpecifier Access, 1619 const PartialDiagnostic &PD) { 1620 if (!getLangOpts().AccessControl || 1621 Access == AS_public) 1622 return AR_accessible; 1623 1624 CXXRecordDecl *NamingClass = Constructor->getParent(); 1625 1626 // Initializing a base sub-object is an instance method call on an 1627 // object of the derived class. Otherwise, we have an instance method 1628 // call on an object of the constructed type. 1629 CXXRecordDecl *ObjectClass; 1630 if (Entity.getKind() == InitializedEntity::EK_Base) { 1631 ObjectClass = cast<CXXConstructorDecl>(CurContext)->getParent(); 1632 } else { 1633 ObjectClass = NamingClass; 1634 } 1635 1636 AccessTarget AccessEntity(Context, AccessTarget::Member, NamingClass, 1637 DeclAccessPair::make(Constructor, Access), 1638 Context.getTypeDeclType(ObjectClass)); 1639 AccessEntity.setDiag(PD); 1640 1641 return CheckAccess(*this, UseLoc, AccessEntity); 1642} 1643 1644/// Checks access to an overloaded operator new or delete. 1645Sema::AccessResult Sema::CheckAllocationAccess(SourceLocation OpLoc, 1646 SourceRange PlacementRange, 1647 CXXRecordDecl *NamingClass, 1648 DeclAccessPair Found, 1649 bool Diagnose) { 1650 if (!getLangOpts().AccessControl || 1651 !NamingClass || 1652 Found.getAccess() == AS_public) 1653 return AR_accessible; 1654 1655 AccessTarget Entity(Context, AccessTarget::Member, NamingClass, Found, 1656 QualType()); 1657 if (Diagnose) 1658 Entity.setDiag(diag::err_access) 1659 << PlacementRange; 1660 1661 return CheckAccess(*this, OpLoc, Entity); 1662} 1663 1664/// Checks access to an overloaded member operator, including 1665/// conversion operators. 1666Sema::AccessResult Sema::CheckMemberOperatorAccess(SourceLocation OpLoc, 1667 Expr *ObjectExpr, 1668 Expr *ArgExpr, 1669 DeclAccessPair Found) { 1670 if (!getLangOpts().AccessControl || 1671 Found.getAccess() == AS_public) 1672 return AR_accessible; 1673 1674 const RecordType *RT = ObjectExpr->getType()->castAs<RecordType>(); 1675 CXXRecordDecl *NamingClass = cast<CXXRecordDecl>(RT->getDecl()); 1676 1677 AccessTarget Entity(Context, AccessTarget::Member, NamingClass, Found, 1678 ObjectExpr->getType()); 1679 Entity.setDiag(diag::err_access) 1680 << ObjectExpr->getSourceRange() 1681 << (ArgExpr ? ArgExpr->getSourceRange() : SourceRange()); 1682 1683 return CheckAccess(*this, OpLoc, Entity); 1684} 1685 1686/// Checks access to the target of a friend declaration. 1687Sema::AccessResult Sema::CheckFriendAccess(NamedDecl *target) { 1688 assert(isa<CXXMethodDecl>(target) || 1689 (isa<FunctionTemplateDecl>(target) && 1690 isa<CXXMethodDecl>(cast<FunctionTemplateDecl>(target) 1691 ->getTemplatedDecl()))); 1692 1693 // Friendship lookup is a redeclaration lookup, so there's never an 1694 // inheritance path modifying access. 1695 AccessSpecifier access = target->getAccess(); 1696 1697 if (!getLangOpts().AccessControl || access == AS_public) 1698 return AR_accessible; 1699 1700 CXXMethodDecl *method = dyn_cast<CXXMethodDecl>(target); 1701 if (!method) 1702 method = cast<CXXMethodDecl>( 1703 cast<FunctionTemplateDecl>(target)->getTemplatedDecl()); 1704 assert(method->getQualifier()); 1705 1706 AccessTarget entity(Context, AccessTarget::Member, 1707 cast<CXXRecordDecl>(target->getDeclContext()), 1708 DeclAccessPair::make(target, access), 1709 /*no instance context*/ QualType()); 1710 entity.setDiag(diag::err_access_friend_function) 1711 << method->getQualifierLoc().getSourceRange(); 1712 1713 // We need to bypass delayed-diagnostics because we might be called 1714 // while the ParsingDeclarator is active. 1715 EffectiveContext EC(CurContext); 1716 switch (CheckEffectiveAccess(*this, EC, target->getLocation(), entity)) { 1717 case AR_accessible: return Sema::AR_accessible; 1718 case AR_inaccessible: return Sema::AR_inaccessible; 1719 case AR_dependent: return Sema::AR_dependent; 1720 } 1721 llvm_unreachable("falling off end"); 1722} 1723 1724Sema::AccessResult Sema::CheckAddressOfMemberAccess(Expr *OvlExpr, 1725 DeclAccessPair Found) { 1726 if (!getLangOpts().AccessControl || 1727 Found.getAccess() == AS_none || 1728 Found.getAccess() == AS_public) 1729 return AR_accessible; 1730 1731 OverloadExpr *Ovl = OverloadExpr::find(OvlExpr).Expression; 1732 CXXRecordDecl *NamingClass = Ovl->getNamingClass(); 1733 1734 AccessTarget Entity(Context, AccessTarget::Member, NamingClass, Found, 1735 /*no instance context*/ QualType()); 1736 Entity.setDiag(diag::err_access) 1737 << Ovl->getSourceRange(); 1738 1739 return CheckAccess(*this, Ovl->getNameLoc(), Entity); 1740} 1741 1742/// Checks access for a hierarchy conversion. 1743/// 1744/// \param ForceCheck true if this check should be performed even if access 1745/// control is disabled; some things rely on this for semantics 1746/// \param ForceUnprivileged true if this check should proceed as if the 1747/// context had no special privileges 1748Sema::AccessResult Sema::CheckBaseClassAccess(SourceLocation AccessLoc, 1749 QualType Base, 1750 QualType Derived, 1751 const CXXBasePath &Path, 1752 unsigned DiagID, 1753 bool ForceCheck, 1754 bool ForceUnprivileged) { 1755 if (!ForceCheck && !getLangOpts().AccessControl) 1756 return AR_accessible; 1757 1758 if (Path.Access == AS_public) 1759 return AR_accessible; 1760 1761 CXXRecordDecl *BaseD, *DerivedD; 1762 BaseD = cast<CXXRecordDecl>(Base->getAs<RecordType>()->getDecl()); 1763 DerivedD = cast<CXXRecordDecl>(Derived->getAs<RecordType>()->getDecl()); 1764 1765 AccessTarget Entity(Context, AccessTarget::Base, BaseD, DerivedD, 1766 Path.Access); 1767 if (DiagID) 1768 Entity.setDiag(DiagID) << Derived << Base; 1769 1770 if (ForceUnprivileged) { 1771 switch (CheckEffectiveAccess(*this, EffectiveContext(), 1772 AccessLoc, Entity)) { 1773 case ::AR_accessible: return Sema::AR_accessible; 1774 case ::AR_inaccessible: return Sema::AR_inaccessible; 1775 case ::AR_dependent: return Sema::AR_dependent; 1776 } 1777 llvm_unreachable("unexpected result from CheckEffectiveAccess"); 1778 } 1779 return CheckAccess(*this, AccessLoc, Entity); 1780} 1781 1782/// Checks access to all the declarations in the given result set. 1783void Sema::CheckLookupAccess(const LookupResult &R) { 1784 assert(getLangOpts().AccessControl 1785 && "performing access check without access control"); 1786 assert(R.getNamingClass() && "performing access check without naming class"); 1787 1788 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) { 1789 if (I.getAccess() != AS_public) { 1790 AccessTarget Entity(Context, AccessedEntity::Member, 1791 R.getNamingClass(), I.getPair(), 1792 R.getBaseObjectType()); 1793 Entity.setDiag(diag::err_access); 1794 CheckAccess(*this, R.getNameLoc(), Entity); 1795 } 1796 } 1797} 1798 1799/// Checks access to Decl from the given class. The check will take access 1800/// specifiers into account, but no member access expressions and such. 1801/// 1802/// \param Decl the declaration to check if it can be accessed 1803/// \param Ctx the class/context from which to start the search 1804/// \return true if the Decl is accessible from the Class, false otherwise. 1805bool Sema::IsSimplyAccessible(NamedDecl *Decl, DeclContext *Ctx) { 1806 if (CXXRecordDecl *Class = dyn_cast<CXXRecordDecl>(Ctx)) { 1807 if (!Decl->isCXXClassMember()) 1808 return true; 1809 1810 QualType qType = Class->getTypeForDecl()->getCanonicalTypeInternal(); 1811 AccessTarget Entity(Context, AccessedEntity::Member, Class, 1812 DeclAccessPair::make(Decl, Decl->getAccess()), 1813 qType); 1814 if (Entity.getAccess() == AS_public) 1815 return true; 1816 1817 EffectiveContext EC(CurContext); 1818 return ::IsAccessible(*this, EC, Entity) != ::AR_inaccessible; 1819 } 1820 1821 if (ObjCIvarDecl *Ivar = dyn_cast<ObjCIvarDecl>(Decl)) { 1822 // @public and @package ivars are always accessible. 1823 if (Ivar->getCanonicalAccessControl() == ObjCIvarDecl::Public || 1824 Ivar->getCanonicalAccessControl() == ObjCIvarDecl::Package) 1825 return true; 1826 1827 1828 1829 // If we are inside a class or category implementation, determine the 1830 // interface we're in. 1831 ObjCInterfaceDecl *ClassOfMethodDecl = 0; 1832 if (ObjCMethodDecl *MD = getCurMethodDecl()) 1833 ClassOfMethodDecl = MD->getClassInterface(); 1834 else if (FunctionDecl *FD = getCurFunctionDecl()) { 1835 if (ObjCImplDecl *Impl 1836 = dyn_cast<ObjCImplDecl>(FD->getLexicalDeclContext())) { 1837 if (ObjCImplementationDecl *IMPD 1838 = dyn_cast<ObjCImplementationDecl>(Impl)) 1839 ClassOfMethodDecl = IMPD->getClassInterface(); 1840 else if (ObjCCategoryImplDecl* CatImplClass 1841 = dyn_cast<ObjCCategoryImplDecl>(Impl)) 1842 ClassOfMethodDecl = CatImplClass->getClassInterface(); 1843 } 1844 } 1845 1846 // If we're not in an interface, this ivar is inaccessible. 1847 if (!ClassOfMethodDecl) 1848 return false; 1849 1850 // If we're inside the same interface that owns the ivar, we're fine. 1851 if (declaresSameEntity(ClassOfMethodDecl, Ivar->getContainingInterface())) 1852 return true; 1853 1854 // If the ivar is private, it's inaccessible. 1855 if (Ivar->getCanonicalAccessControl() == ObjCIvarDecl::Private) 1856 return false; 1857 1858 return Ivar->getContainingInterface()->isSuperClassOf(ClassOfMethodDecl); 1859 } 1860 1861 return true; 1862} 1863